International Collaboration to Focus on Medical Cybersecurity

The International Medical Device Regulators Forum (IMDRF; Canberra, Australia), a global congregation of health agencies, is launching a cybersecurity harmonization working group to develop criteria for medical device cybersecurity standards.

The new working group, co-chaired by the U.S. and Canada, aims to produce an international guidance document that provides regulatory definitions of the critical terms of cybersecurity, such as privacy, exploit, theft, threat, vulnerability, harm and others. It will also outline the cybersecurity responsibilities shared between all stakeholders, as well as explore the adoption of coordinated policies for the public disclosure of device vulnerabilities. The completed guidance document is due to be presented at the IMDRF September 2019 meeting, to be held in Russia.

In addition to an international guidance document, the IMDRF standards working group will aim to help assure international standards development organizations (SDOs) produce relevant regulatory-grade work, so it can be used to aid agency decision-making. A critical aspect is that these standards must include validated methodologies and measurements for success. To address that, the IMDRF also plans to publish a document on optimizing standards for regulatory use, and will liaise more closely with country SDOs.

“One of the reasons that we do not recognize standards is because there’s not an objective basis for determining conformance with the standards. We've been finding that a number of these standard development organizations are not taking the voice of regulators into account,” said leader of the U.S. delegation Jeff Shuren, director of the FDA Center for Devices and Radiological Health (CDRH). “What you're going to see is IMDRF coming together as an organization, with all of the participating countries saying, with one voice, that you need to take our issues into account or we're not going to recognize your standards.”

Cybersecurity threats to medical devices and exploitation of cybersecurity vulnerabilities present a potential risk to the safety and effectiveness of such devices. While manufacturers can incorporate controls in the design of a product to help prevent these risks, they must also consider improvements during maintenance of devices, since the evolving nature of cyberthreats means risks may arise throughout a device’s entire lifecycle. A structured and systematic comprehensive approach that responds in a timely fashion to identified vulnerabilities is thus warranted.

Related Links:
International Medical Device Regulators Forum